Bug 910805 (CVE-2014-8146) - VUL-1: CVE-2014-8146: libreoffice: heap overflow
Summary: VUL-1: CVE-2014-8146: libreoffice: heap overflow
Status: RESOLVED FIXED
Duplicates: 927951
Alias: CVE-2014-8146
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Deadline: 2015-04-08
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: maint:running:61296:moderate CVSSv2:N...
Reported: 2014-12-19 11:16 UTC by Alexander Bergmann
Modified: 2016-07-01 14:12 UTC
Comment 3 Alexander Bergmann 2014-12-19 11:19:06 UTC
CVE-2014-8146 was assigned to this issue.
Comment 4 Swamp Workflow Management 2014-12-19 23:00:35 UTC
bugbot adjusting priority
Comment 5 Swamp Workflow Management 2015-03-25 09:52:19 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-04-08.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61296
Comment 6 Andreas Stieger 2015-04-24 15:09:19 UTC
*** Bug 927951 has been marked as a duplicate of this bug. ***
Comment 8 Tomáš Chvátal 2015-04-28 10:41:40 UTC
SLE11 might be affected, will be fixed with the fate-update.
SLE12/openSUSE not affected, we use system ICU. If anything this should probably be reported against icu and we should patch that on affected systems.
Comment 9 Marcus Meissner 2015-10-07 13:11:10 UTC
is public now

http://openwall.com/lists/oss-security/2015/05/05/6

The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 does not properly track directionally isolated pieces of text, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly execute arbitrary code via crafted text.
Comment 10 Swamp Workflow Management 2015-11-05 08:14:47 UTC
SUSE-SU-2015:1915-1: An update that solves 7 vulnerabilities and has 16 fixes is now available.

Category: security (moderate)
Bug References: 470073,806250,829430,890735,900186,900877,907966,910805,910806,913042,914911,915996,916181,918852,919409,926375,929793,934423,936188,936190,940838,943075,945692
CVE References: CVE-2014-8146,CVE-2014-8147,CVE-2015-1774,CVE-2015-4551,CVE-2015-5212,CVE-2015-5213,CVE-2015-5214
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src):    apache-commons-logging-1.1.3-7.1, cmis-client-0.5.0-5.1, flute-1.3.0-4.2, hyphen-2.8.8-9.1, libabw-0.1.1-5.3, libbase-1.1.3-4.3, libcdr-0.1.1-5.3, libe-book-0.1.2-4.2, libetonyek-0.1.3-3.5, libfonts-1.1.3-4.9, libformula-1.1.3-4.3, libfreehand-0.1.1-4.9, libgltf-0.0.1-2.1, libixion-0.9.1-3.1, liblangtag-0.5.7-3.1, liblayout-0.2.10-4.8, libloader-1.1.3-3.2, libmspub-0.1.2-5.1, libmwaw-0.3.6-3.3, libodfgen-0.1.4-3.9, liborcus-0.7.1-3.1, libpagemaker-0.0.2-2.3, libreoffice-5.0.2.2-13.14, libreoffice-share-linker-1-2.1, libreoffice-voikko-4.1-6.3, librepository-1.1.3-4.3, librevenge-0.0.2-4.1, libserializer-1.1.2-4.3, libvisio-0.1.3-4.3, libvoikko-3.7.1-3.1, libwps-0.4.1-3.1, malaga-suomi-1.18-3.2, myspell-dictionaries-20150827-5.1, pentaho-libxml-1.1.3-4.3, pentaho-reporting-flow-engine-0.9.4-4.5, sac-1.3-4.1
SUSE Linux Enterprise Software Development Kit 12 (src):    cmis-client-0.5.0-5.1, graphite2-1.3.1-3.1, hyphen-2.8.8-9.1, libabw-0.1.1-5.3, libcdr-0.1.1-5.3, libe-book-0.1.2-4.2, libetonyek-0.1.3-3.5, libfreehand-0.1.1-4.9, libixion-0.9.1-3.1, liblangtag-0.5.7-3.1, libmspub-0.1.2-5.1, libmwaw-0.3.6-3.3, libodfgen-0.1.4-3.9, liborcus-0.7.1-3.1, librevenge-0.0.2-4.1, libvisio-0.1.3-4.3, libvoikko-3.7.1-3.1, libwps-0.4.1-3.1, malaga-suomi-1.18-3.2
SUSE Linux Enterprise Server 12 (src):    apache-commons-logging-1.1.3-7.1, graphite2-1.3.1-3.1
SUSE Linux Enterprise Desktop 12 (src):    apache-commons-logging-1.1.3-7.1, cmis-client-0.5.0-5.1, flute-1.3.0-4.2, graphite2-1.3.1-3.1, hyphen-2.8.8-9.1, libabw-0.1.1-5.3, libbase-1.1.3-4.3, libcdr-0.1.1-5.3, libe-book-0.1.2-4.2, libetonyek-0.1.3-3.5, libfonts-1.1.3-4.9, libformula-1.1.3-4.3, libfreehand-0.1.1-4.9, libgltf-0.0.1-2.1, libixion-0.9.1-3.1, liblangtag-0.5.7-3.1, liblayout-0.2.10-4.8, libloader-1.1.3-3.2, libmspub-0.1.2-5.1, libmwaw-0.3.6-3.3, libodfgen-0.1.4-3.9, liborcus-0.7.1-3.1, libpagemaker-0.0.2-2.3, libreoffice-5.0.2.2-13.14, libreoffice-share-linker-1-2.1, libreoffice-voikko-4.1-6.3, librepository-1.1.3-4.3, librevenge-0.0.2-4.1, libserializer-1.1.2-4.3, libvisio-0.1.3-4.3, libvoikko-3.7.1-3.1, libwps-0.4.1-3.1, malaga-suomi-1.18-3.2, myspell-dictionaries-20150827-5.1, pentaho-libxml-1.1.3-4.3, pentaho-reporting-flow-engine-0.9.4-4.5, sac-1.3-4.1
Comment 11 Bernhard Wiedemann 2015-11-05 10:00:20 UTC
This is an autogenerated message for OBS integration:
This bug (910805) was mentioned in
https://build.opensuse.org/request/show/342524 Factory / libreoffice
Comment 12 Bernhard Wiedemann 2015-11-09 21:00:18 UTC
This is an autogenerated message for OBS integration:
This bug (910805) was mentioned in
https://build.opensuse.org/request/show/343268 Factory / libreoffice
Comment 13 Bernhard Wiedemann 2015-11-10 13:00:20 UTC
This is an autogenerated message for OBS integration:
This bug (910805) was mentioned in
https://build.opensuse.org/request/show/343412 Leap:42.1 / libreoffice
Comment 14 Bernhard Wiedemann 2015-11-11 14:00:23 UTC
This is an autogenerated message for OBS integration:
This bug (910805) was mentioned in
https://build.opensuse.org/request/show/343845 Leap:42.1 / libreoffice.1176.openSUSE_Leap_42.1_Update
Comment 15 Swamp Workflow Management 2016-02-03 16:14:36 UTC
SUSE-SU-2016:0324-1: An update that solves 7 vulnerabilities and has 19 fixes is now available.

Category: security (moderate)
Bug References: 306333,547549,668145,679938,681560,688200,718113,806250,857026,889755,890735,907636,907966,910805,910806,914911,934423,936188,936190,939996,940838,943075,945047,945692,951579,954345
CVE References: CVE-2014-8146,CVE-2014-8147,CVE-2014-9093,CVE-2015-4551,CVE-2015-5212,CVE-2015-5213,CVE-2015-5214
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    google-carlito-fonts-1.1.03.beta1-2.1, hyphen-2.8.8-2.1, libreoffice-5.0.4.2-23.1, libreoffice-share-linker-1-2.1, libreoffice-voikko-4.1-2.26, libvoikko-3.7.1-5.2, myspell-dictionaries-20150827-23.1, mythes-1.2.4-2.1, python-importlib-1.0.2-0.8.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    google-carlito-fonts-1.1.03.beta1-2.1, hyphen-2.8.8-2.1, libreoffice-5.0.4.2-23.1, libreoffice-share-linker-1-2.1, libreoffice-voikko-4.1-2.26, libvoikko-3.7.1-5.2, myspell-dictionaries-20150827-23.1, mythes-1.2.4-2.1, python-importlib-1.0.2-0.8.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    hyphen-2.8.8-2.1, libreoffice-5.0.4.2-23.1, libvoikko-3.7.1-5.2, mythes-1.2.4-2.1
Comment 16 Marcus Meissner 2016-02-10 07:33:03 UTC
released
Comment 17 Swamp Workflow Management 2016-02-26 00:13:22 UTC
openSUSE-SU-2016:0588-1: An update that solves 9 vulnerabilities and has 15 fixes is now available.

Category: security (moderate)
Bug References: 679938,829430,889755,897903,900186,900214,900218,907636,910805,910806,915996,916181,926375,929793,934423,936188,936190,939996,940838,943075,945047,945692,951579,954345
CVE References: CVE-2014-3693,CVE-2014-8146,CVE-2014-8147,CVE-2014-9093,CVE-2015-4551,CVE-2015-45513,CVE-2015-5212,CVE-2015-5213,CVE-2015-5214
Sources used:
openSUSE 13.2 (src):    cmis-client-0.5.0-4.3.2, libetonyek-0.1.3-2.3.2, libmwaw-0.3.6-2.7.2, libodfgen-0.1.4-2.3.2, libpagemaker-0.0.2-2.2, libreoffice-5.0.4.2-28.1, libreoffice-share-linker-1-2.2, libwps-0.4.1-2.4.2, mdds-0.12.1-2.4.2